- Use the external gateway router to bin unknown or unused protocols that are not required in the DMZ. This stops the firewall being swamped with traffic it would only drop anyway and gives a second security skin in front of it. The traffic is binned with ACLs on the router's Internet-facing interface, so only the protocols the DMZ actually serves ever reach the firewall.
- Use private addresses in the DMZ and let the firewall NAT them to the external network. On the external gateway router, bin all packets arriving from the Internet with a private (RFC 1918) source address, together with other sources that cannot legitimately come from outside, such as your own public range: they are spoofed or leaked and have no business crossing the perimeter.
- Implement an IPS/IDS.
- Provide server protection: anti-virus, anti-spyware and anti-rootkit tooling.
- Data should not be stored in a DMZ that accepts incoming connections from the Internet or third parties. Keep the data on a separate VLAN behind a firewall and backhaul it across that firewall for processing, so that a compromised front-end host holds nothing worth stealing.
- Use reverse proxies in the incoming DMZ. A system that holds local data can then be moved to an internal network while the proxy still terminates the external connection in the DMZ, protecting both the system and its data.
- Use protected switch ports. Disable unused ports. Use port security to bind a MAC address to a port.
- Aggregate Netflow data from the network devices and review reports daily.
- Review logs from network devices and servers. Search for an excessive number of failed logins, and treat a single source trying many different usernames as seriously as one hammering a single account.
- Force network devices to use an authentication service such as RADIUS or TACACS+ rather than local accounts alone.
- Don't deploy Active Directory into the DMZs.
- Implement separate management VLANs for network devices.
- Don't terminate incoming connections from the Internet or third parties on the internal network.
- Encrypt all data being backhauled from a DMZ.
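As an added example that is not part of the original post, this is what the first two items (binning unwanted protocols and private source addresses on the external gateway router) and the port-security item look like in Cisco IOS-style configuration. The addressing is assumed for illustration: 203.0.113.0/24 stands in for the firewall's public NAT range, the only published services are HTTPS and HTTP on 203.0.113.10 and SMTP on 203.0.113.20, and the interface names and VLAN numbers are placeholders.

```text
! External gateway router, Internet-facing interface.
ip access-list extended INTERNET-IN
 remark -- Bin private and other non-routable source addresses: they cannot legitimately arrive from the Internet
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 remark -- Bin packets that spoof our own public range (assumed 203.0.113.0/24) as their source
 deny ip 203.0.113.0 0.0.0.255 any
 remark -- Permit only the protocols the DMZ is required to serve
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.20 eq 25
 remark -- Replies to sessions opened from inside (stateless ACK/RST match; UDP replies need a stateful feature)
 permit tcp any 203.0.113.0 0.0.0.255 established
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 permit icmp any 203.0.113.0 0.0.0.255 unreachable
 permit icmp any 203.0.113.0 0.0.0.255 time-exceeded
 remark -- Everything else (unknown or unused protocols) is binned here, before the firewall sees it
 deny ip any any log
!
interface GigabitEthernet0/0
 description Internet uplink
 ip access-group INTERNET-IN in
!
! DMZ access switch: one MAC per port, unused ports disabled and parked in a dead VLAN.
interface GigabitEthernet0/5
 description dmz-web1
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface range GigabitEthernet0/10 - 24
 description unused - disabled
 switchport mode access
 switchport access vlan 999
 shutdown
```

Two caveats. Logging the final deny is useful for the daily review but every logged packet is punted to the CPU, so rate-limit ACL logging on a busy Internet edge. The `established` line is a stateless keyword match on TCP flags, not a session table; if the router must also carry outbound UDP (DNS, NTP) from the inside, use a stateful feature such as reflexive ACLs or zone-based firewalling instead of opening those ports blindly.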
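The log-review item above, as an added example (not code from the original post): a small Python script that does the daily failed-login search over syslog from both servers and network devices. The hostnames, addresses and usernames in the sample lines are constructed for illustration, and the threshold is an assumption; the script also separates brute force against one account from a spray across many usernames, which a raw count would hide.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not taken from any real system): Linux sshd
# and Cisco IOS login messages as they would arrive at a central syslog host.
SAMPLE_LOGS = """\
Mar 12 03:14:01 dmz-web1 sshd[2041]: Failed password for root from 198.51.100.7 port 50212 ssh2
Mar 12 03:14:03 dmz-web1 sshd[2041]: Failed password for root from 198.51.100.7 port 50214 ssh2
Mar 12 03:14:05 dmz-web1 sshd[2041]: Failed password for invalid user oracle from 198.51.100.7 port 50216 ssh2
Mar 12 03:14:07 dmz-web1 sshd[2041]: Failed password for invalid user admin from 198.51.100.7 port 50218 ssh2
Mar 12 03:14:09 dmz-web1 sshd[2041]: Failed password for root from 198.51.100.7 port 50220 ssh2
Mar 12 03:14:11 dmz-web1 sshd[2041]: Failed password for root from 198.51.100.7 port 50222 ssh2
Mar 12 03:15:40 dmz-web1 sshd[2077]: Accepted publickey for deploy from 10.20.30.5 port 41002 ssh2
Mar 12 03:16:02 dmz-web2 sshd[1190]: Failed password for deploy from 10.20.30.5 port 41010 ssh2
Mar 12 03:17:30 gw-rtr1 112: *Mar 12 03:17:30: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.45] [localport: 22] [Reason: Login Authentication Failed] at 03:17:30 UTC Wed Mar 12 2014
Mar 12 03:17:31 gw-rtr1 113: *Mar 12 03:17:31: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.45] [localport: 22] [Reason: Login Authentication Failed] at 03:17:31 UTC Wed Mar 12 2014
Mar 12 03:17:32 gw-rtr1 114: *Mar 12 03:17:32: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netadmin] [Source: 203.0.113.45] [localport: 22] [Reason: Login Authentication Failed] at 03:17:32 UTC Wed Mar 12 2014
Mar 12 03:17:33 gw-rtr1 115: *Mar 12 03:17:33: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.45] [localport: 22] [Reason: Login Authentication Failed] at 03:17:33 UTC Wed Mar 12 2014
Mar 12 03:17:34 gw-rtr1 116: *Mar 12 03:17:34: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: support] [Source: 203.0.113.45] [localport: 22] [Reason: Login Authentication Failed] at 03:17:34 UTC Wed Mar 12 2014
Mar 12 03:18:00 gw-rtr1 117: *Mar 12 03:18:00: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netadmin] [Source: 10.99.0.2] [localport: 22] at 03:18:00 UTC Wed Mar 12 2014
"""

# One pattern per log source; each yields the username tried and the source address.
FAILED_LOGIN_PATTERNS = [
    # Linux sshd: "Failed password for [invalid user] NAME from IP port N ssh2"
    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"),
    # Cisco IOS: "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: NAME] [Source: IP]"
    re.compile(r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"),
]


def parse_failed_logins(text):
    """Return a list of (reporting_host, username, source_ip) for every failed-login line."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        host = fields[3] if len(fields) > 3 else "?"  # syslog header: "Mon DD HH:MM:SS host ..."
        for pattern in FAILED_LOGIN_PATTERNS:
            match = pattern.search(line)
            if match:
                events.append((host, match.group("user"), match.group("src")))
                break
    return events


def excessive_failures(text, threshold=5):
    """Map each source with at least `threshold` failures to (count, sorted distinct usernames tried)."""
    events = parse_failed_logins(text)
    per_source = Counter(src for _, _, src in events)
    users_by_source = defaultdict(set)
    for _, user, src in events:
        users_by_source[src].add(user)
    return {
        src: (count, sorted(users_by_source[src]))
        for src, count in per_source.items()
        if count >= threshold
    }


def report(text, threshold=5):
    """Review lines, worst source first; many distinct usernames from one source indicates a spray."""
    lines = []
    ranked = sorted(excessive_failures(text, threshold).items(), key=lambda kv: -kv[1][0])
    for src, (count, users) in ranked:
        kind = "password spray" if len(users) >= 3 else "brute force"
        lines.append(f"{src}: {count} failed logins, {len(users)} usernames ({', '.join(users)}) - possible {kind}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOGS):
        print(line)
```

In practice the text would come from the aggregated syslog of the previous day rather than an inline string, and the single successful login from 10.99.0.2 on the router is exactly the kind of line to read alongside the failures: a success from an address that had been failing moments earlier is the event that matters.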
This is the news and personal publishing site of Ronald Bartels that wanders on and off the subject of Information Technology. Mostly now the topics are about IoT and SD-WAN.